05-20-2014 09:21 AM - edited 03-10-2019 09:43 PM
Hello,
We have run into an issue with Radius Authentication with one set of Cisco ASA Firewalls.
The issue is as follows:
Initially, the radius preshared key was not configured for our primary radius server. This was noticed and corrected immediately. However, upon correcting this, we started receiving the following error:
ERROR: Authentication Error: Invalid response received from server
I looked at the radius server and it reports that the user was successfully authenticated. The output of the debug aaa-server authentication is as follows:
ASA# test aaa-server authentication la-radius-group
Server IP Address or name: <RADIUS>
Username: <USERNAME>
Password: *********
INFO: Attempting Authentication test to IP address <RADIUS> (timeout: 10 seconds)
radius mkreq: 0x1fa
alloc_rip 0x00007ffecc0b3f48
new request 0x1fa --> 14 (0x00007ffecc0b3f48)
got user 'username'
got password
add_req 0x00007ffecc0b3f48 session 0x1fa id 14
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 65).....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 14 (0x0E)
Radius: Length = 65 (0x0041)
Radius: Vector: E27330A92ECF5C653AEB48E106C7F41D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = <ASA> (0xD04A88FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt <RADIUS>/1645
rip 0x00007ffecc0b3f48 state 7 id 14
rad_vrfy() : response message verified
rip 0x00007ffecc0b3f48
: chall_state ''
: state 0x7
: reqauth:
: info 0x00007ffecc0b4088
session_id 0x1fa
request_id 0xe
user '<USERNAME>'
response '***'
app 0
reason 0
skey '<KEY>'
sip <RADIUS>
type 1
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 78).....
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 14 (0x0E)
Radius: Length = 78 (0x004E)
Radius: Vector: 206B152DB5DD5C7996E4F1DD650F96A9
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 6 (0x06)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 6 (0x06) Unknown
Radius: Length = 6 (0x06)
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
rad_procpkt: ACCEPT
RADIUS_DELETE
remove_req 0x00007ffecc0b3f48 session 0x1fa id 14
free_rip 0x00007ffecc0b3f48
radius: send queue empty
ERROR: Authentication Error: Invalid response received from server
When looking at the logs on the Radius Server, I receive the following entry:
"Network Policy Server granted access to a user."
We have cleared the configuration, rebooted the ASA, and re-applied the radius configuration and the issue persisted.
We have multiple Cisco Devices that connect to this RADIUS server and this is the only device that has an issue.
Has anyone seen this before? I have not seen any articles stating an issue like this.
Thank you for any help.
05-20-2014 11:48 PM
Hey,
This response is seen when the response had something which the ASA did not like:
"Invalid response received from server"
I think you are using NPS, do you have detailed logs from there?
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
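Added example, not part of any post in this thread and not Cisco or NPS code: the debug output shows `rad_vrfy()` succeeding and `rad_procpkt: ACCEPT` before the error, and the decoded response lists a Vendor-Specific attribute with Length 6. The Python below checks a RADIUS response in two separate steps per RFC 2865, first the Response Authenticator against the shared secret, then the attribute structure, flagging a Vendor-Specific attribute shorter than the RFC minimum of 7. The shared secret and packet bytes are constructed to mirror the lengths in the decode, and that `rad_vrfy()` corresponds to the authenticator check is an assumption.

```python
import hashlib
import hmac
import struct

def build_response(code, ident, req_auth, attrs, secret):
    """Build a response with a valid RFC 2865 Response Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_authenticator(pkt, req_auth, secret):
    """Recompute MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def check_attributes(pkt):
    """Walk the attribute TLVs; return a list of structural problems."""
    problems = []
    (length,) = struct.unpack("!H", pkt[2:4])
    if length != len(pkt):
        return [f"header length {length} != received {len(pkt)}"]
    pos = 20
    while pos < length:
        if pos + 2 > length:
            problems.append(f"truncated attribute header at offset {pos}")
            break
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            problems.append(f"attribute {atype} at offset {pos}: bad length {alen}")
            break
        # RFC 2865 5.26: Vendor-Specific is Type, Length, 4-byte Vendor-Id, then data
        if atype == 26 and alen < 7:
            problems.append(f"Vendor-Specific at offset {pos}: length {alen} < 7")
        pos += alen
    return problems

# Constructed sample: same code, identifier and attribute lengths as the decode
REQ_AUTH = bytes.fromhex("E27330A92ECF5C653AEB48E106C7F41D")  # request Vector
SECRET = b"example-shared-secret"                      # constructed, not the real key
EMPTY_VSA = bytes([26, 6]) + struct.pack("!I", 9)      # Vendor ID 9, no vendor data
SERVICE_TYPE = bytes([6, 6]) + struct.pack("!I", 1)
CLASS_ATTR = bytes([25, 46]) + b"C" * 44               # placeholder Class value
SAMPLE = build_response(2, 14, REQ_AUTH, EMPTY_VSA + SERVICE_TYPE + CLASS_ATTR, SECRET)

if __name__ == "__main__":
    print("authenticator ok:", verify_authenticator(SAMPLE, REQ_AUTH, SECRET))
    for problem in check_attributes(SAMPLE):
        print("problem:", problem)
```

A response can pass the authenticator check, which only proves the shared secret matches, and still fail the structural check, so the two results are worth reading separately when comparing against NPS policy output.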
09-06-2022 07:42 PM
I resolved this problem by following this guide when using NPS. You need to create a separate Connection Request and Network Policy specifically for ASA.
https://www.petenetlive.com/KB/Article/0000685
Crister
"Pay it forward."